Emotet compromised more than 4 million mailboxes. In January this year, Europol, the FBI and law enforcement agencies from around the world, including Canada, the Netherlands, France, Germany, Lithuania, Great Britain and Ukraine, conducted a large-scale coordinated operation to take down the Emotet botnet. Preparations for the operation lasted two years.
Law enforcement managed to seize control of the Emotet infrastructure, disrupting its operation. As a result, the criminals could no longer use the infected machines, and the malware stopped spreading to new targets. Once the Emotet C&C servers had been taken over by the German Federal Criminal Police Office (Bundeskriminalamt), that infrastructure was used to push a special update to all infected hosts.
However, even after that, many mailboxes remained compromised, because for years users had been tricked into infecting their computers with Emotet. Let me remind you that the malware stole passwords from browsers and email clients, gaining access to victims' mailboxes. It then inserted itself into existing email threads, sending new replies to known contacts that carried malicious Office documents.
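To make the thread-hijacking pattern concrete, here is an added triage heuristic (example code written for this page, not anything from Spamhaus, Have I Been Pwned or law enforcement). It parses raw messages and scores three signals the paragraph describes: the message is a reply into an existing thread, the sender's display name belongs to a known contact but the address does not match the directory, and an Office document is attached. The contact directory, the sample messages and the scoring itself are constructed assumptions; a real deployment would feed it messages from a mail gateway and tune the threshold.

```python
"""Heuristic triage for reply-chain (thread-hijacking) lures.

Added example, not code from the article or from any organisation it names.
KNOWN_CONTACTS, the scoring rules and both sample messages are constructed
for illustration only.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed: the organisation's directory of known external contacts.
KNOWN_CONTACTS = {
    "Alice Example": "alice@partner.example",
    "Bob Builder": "bob@supplier.example",
}

# Office document types of the kind the lures carried (assumed list).
OFFICE_SUFFIXES = (".doc", ".docm", ".xls", ".xlsm")
OFFICE_TYPES = {
    "application/msword",
    "application/vnd.ms-excel",
    "application/vnd.ms-word.document.macroenabled.12",
    "application/vnd.ms-excel.sheet.macroenabled.12",
}


def office_attachments(msg):
    """Return filenames of Office-document attachments in a parsed message."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(OFFICE_SUFFIXES) or part.get_content_type() in OFFICE_TYPES:
            found.append(name)
    return found


def assess(raw):
    """Score one raw RFC 5322 message; returns (score, list_of_reasons).

    Each signal counts one point.  A genuine reply from a known contact that
    happens to carry a .doc scores 2; a hijacked thread sent from a foreign
    address under a known display name scores 3.  Note that when the attacker
    sends from the stolen mailbox itself the From address is genuine, so the
    name/address mismatch is only one signal and not a sufficient condition.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    subject = (msg["Subject"] or "").strip().lower()
    if msg["In-Reply-To"] or msg["References"] or subject.startswith(("re:", "fw:", "fwd:")):
        reasons.append("reply into an existing thread")

    name, addr = parseaddr(msg["From"] or "")
    known = KNOWN_CONTACTS.get(name)
    if known and known.lower() != addr.lower():
        reasons.append(f"display name '{name}' is known as {known} but sent from {addr}")

    atts = office_attachments(msg)
    if atts:
        reasons.append("Office attachment: " + ", ".join(atts))

    return len(reasons), reasons


# Constructed sample: a hijacked thread, known display name, foreign address, .doc lure.
HIJACKED = """\
From: Alice Example <alice.example@mail-relay.example.net>
To: victim@corp.example
Subject: RE: Q2 invoice
In-Reply-To: <thread-1@partner.example>
References: <thread-1@partner.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="utf-8"

Hi, please see the attached document.

> (quoted text of the original thread)
--B1
Content-Type: application/msword; name="Invoice_0421.doc"
Content-Disposition: attachment; filename="Invoice_0421.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--B1--
"""

# Constructed sample: a genuine reply from the real contact, no attachment.
LEGIT = """\
From: Alice Example <alice@partner.example>
To: victim@corp.example
Subject: RE: Q2 invoice
In-Reply-To: <thread-1@partner.example>
Content-Type: text/plain; charset="utf-8"

Thanks, confirmed.
"""

if __name__ == "__main__":
    for label, raw in (("hijacked", HIJACKED), ("legit", LEGIT)):
        score, why = assess(raw)
        print(f"{label}: score={score} {why}")
```

Run stand-alone it prints the score and reasons for both constructed messages; in practice you would route anything scoring 3, or 2 with a name/address mismatch, to a quarantine or analyst queue rather than block outright, since replies with Office attachments are routine business traffic.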
Earlier, the FBI and the Dutch National High Tech Crime Unit shared 4,324,770 email addresses that Emotet had used with the well-known breach aggregator Have I Been Pwned.
Spamhaus received a smaller list of 1,300,000 addresses from law enforcement. Since mid-April, the organization has been contacting the email providers and domain owners behind those addresses, asking them to protect the affected accounts by resetting their passwords. In total, Spamhaus has so far contacted 22,000 domain owners and 3,000 organizations that owned the compromised mailboxes.
Now, two months later, Spamhaus reports that more than 60% of the addresses on its list have been re-secured and returned to their owners. Experts point out that this is an important step, since the Emotet operators are still at large, and access to these mailboxes could be sold to other criminals or used by the operators themselves should they decide to resume operations.